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f"->) , Numerous research studies have been investigated on proxy signatures over the last 

decade. This survey reviews the research progress on proxy signatures, analyzes a few 
, notable proposals, and provides an overall remark of these proposals. 
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1 Introduction 

Digital signature is a cryptographic means through which the authenticity, data integrity and 
senders non-repudiation can be verified. Typically, digital signature of a document is a piece 
of information encrypted by the signer's secret key. Numerous researches have shown signif- 
icant contributions to this field using various cryptographic primitives [55]. However, there 
are many practical environments where digital signatures do not possess specific require- 
ments, and thereby digital signatures appear in several other forms viz. proxy signatures, 
multi signatures, blind signatures, etc. For example, a manager of a company wants to go for 
a long trip. He would need a proxy agent, to whom he would delegate his signing capability, 
and thereafter the proxy agent would sign the documents on behalf of the manager. 

The concept of proxy signature was recorded in 1989 [24] : however, the cryptographic 
treatment on proxy signature was geared up after the scheme by Mambo et al [53] in 1996. 
They first classified the proxy signature on the basis of delegation, namely full delegation, 
partial delegation and delegation by warrant, and presented a well devised scheme. In full 
delegation, an original signer gives his secret key to a proxy signer and the proxy signer 
signs document using original signer's secret key. The drawback of proxy signature with full 
delegation is that the absence of a distinguishability between original signer and proxy signer. 
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In partial delegation, the original signer derives a proxy key from his secret key and hands it 
over to the proxy signer as a delegation capability. In this case, the proxy signer can misuse 
the delegation capability, because partial delegation can not restrict the proxy signer's signing 
capability. The weaknesses of full and partial delegations are eliminated by partial delegation 
with warrant. A warrant explicitly states the signers' identity, delegation period and the 
qualification of the message on which the proxy signer can sign, etc. Another important 
requirement of a proxy signature is that the revocation of delegation capability (i.e., proxy 
revocation). The proxy revocation is essential for the situation where original signer key is 
compromised or any misuse of the delegation capability is noticed. It may so happen that 
the original signer wants to terminate his delegation capability before its expiry. Though, 
Mambo et al's [53] scheme presented an informative idea on proxy signatures and its various 
features; however, the scheme allows unlimited delegation, i.e., the proxy signer can sign any 
message because the original signer delegation provides unlimited signing capability to the 
proxy signer. The unlimited signing capability allows proxy signer to misuse the delegation 
capability. 

In 1997, Kim et al [30] proposed a scheme by restricting proxy signer signing capability 
using the concept of partial delegation with warrant. Subsequently, Zhang [87] , [88] proposed 
threshold and non-repudiable proxy signature schemes. Ghodosi and Pieprzyk [26] analyzed 
the shortcomings of [87] and the same is also noticed by Lee et al [33] . Petersen and Horster 
[62] proposed another notion, called self-certified keys under different trust levels and used 
them for creation of delegation capability, delegated signatures and proxy signatures. How- 
ever, the work in [47] and [43] showed that Pertersen-Horster's scheme is insecure. 

In 1999, Okamoto et al [59], for the first time, proposed proxy signature based on RSA 
signature scheme, but they considered the proxy unprotected notion. In the same year, Sun 
proposed two schemes |72| . [76j on threshold proxy signatures. Then, Lee and Kim [36] 
proposed a strong proxy signature scheme. Later, Viswanathan et al [80] proposed a scheme 
for controlled environments. 

In 2000, Sun [73], [73] proposed a multi-proxy signature scheme and a time-stamped 
proxy signature, respectively. Hwang et al [37] presented a non-repudiable threshold proxy 
signature scheme with known signers. Subsequently, Yi et al [86] proposed a proxy multi- 
signature scheme. 

In 2001, Romao and da Silva [65] proposed secure mobile agent with proxy certificates. 
Lee et al [47], [48] proposed two proxy signature schemes and highlighted a few applications. 
However, Wang et al. [82] noticed that Lee et al's scheme [38] is not secure. Park and Lee 
|60j proposed another scheme for mobile communications. 

In 2002, Shum and Wei [70] proposed a proxy signature scheme with proxy signer privacy 
protection, but the scheme's insecurity was noticed in [75] . 

Year 2003 saw a very impressive list of publications demonstrating a vigourous interest 
in the proxy signature study. In this year, a number of new schemes and improvements have 
been proposed [79], [36], [39], [7], [H], [32], [33], [82], [E], [13], [68], [51], [38] [39], [32], 
[33] . [17] , [18], [50], [90], [89], [JJ. However, most of the schemes observed the insecurity of 
previously proposed schemes and proposed an improved one, which was subsequently broken 
by others. 

In 2004, a few interesting schemes [33], [19], [UJ, [14], [69], [83], [52], [35], [77], [78], [85], 
[91], have been proposed. 

In 2005, Lee and Lee [45] further addressed the security weaknesses of [70] . Later, Das 
et al. [20] proposed a pairing-based proxy signature scheme with revocation. 
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In this survey, we review several notable proxy signature schemes categorizing them into 
different constructions based on their security assumptions. The organization of the survey 
is as follows. In the next section, we give a mathematical background for general readership. 
Section [3] discusses the security properties of proxy signature. Section d] details the construc- 
tions of various proxy signatures. Section [5] reviews some of the notable schemes. Finally, 
Section [6] gives an overall remarks on our observations. 

2 Preliminaries 

2.1 Discrete Logarithm Problem 

The discrete logarithm is the inverse of discrete exponentiation in a finite cyclic group. Sup- 
pose G be a finite multiplicative cyclic group of order a large prime q. Let g be a generator 
of G. Then every element y of G can be written in the form y = g k for some integer k. The 
discrete logarithm of y is k and is written as log g y = k mod q. 

In 1976, Diffie and Hellman [21] revolutionized the cryptography and proposed a key ex- 
change protocol without using secure channel, where the security of the protocol relies on 
discrete logarithm problem (DLP). Since then, several key exchange [11], public key encryp- 
tion [12], [55], and signature schemes [22], [27], [71] have been proposed in which the security 
assumptions trust on the hardness of the DLP. 

The Schnorr signature scheme: The scheme S sc h is based on DLP and works as follows: 
Setup (SVdip)- Inputs l k ; and outputs params-dlp. The params-dlp consists of primes q 
and I such that 2 k ~~ 1 < q < 2 k , an element g € Z* of order I that divides q — 1, and a hash 
function h : {0, 1}* — > Zj. 

KeyGen (ICQ dip)- The users agree on a group G (multiplicative group of integers modulo q for 
some prime q with generator g of prime order I in which the DLP is hard. The user chooses 
a secret key x G Z(. The public key is generated as y = g x mod q. 
In other words, user public key <— /C^^ p (params-dlp, user secret key), 

i.e. y ^/C^^p(params-dlp, x) 
Sign (Sdip): To sign a message m, choose a random t 6 Z| and compute r = g l mod q. 
Compute c = h(m, r) and a = (t — xc) mod I. The signature of m is (a, c). 
In other words, a<— <S^ p (params-dlp, (t, r), x, m). 

Verify (Vdip)- Compute r' = g a y c (mod q) and d = h(m,r'). If d = c then the sig- 
nature is valid. In other words, Results V^ p (params-dlp, y, a, m), where Result € 
{Valid, Invalid}. 

The Schnorr's signature scheme is proven secure |71j under the assumption that DLP is hard. 

2.2 Bilinear Pairings 

Bilinear pairings were first introduced to elliptic curve cryptography for destructive methods 
like the MOV reduction [54] . With the help of Weil pairing, the authors of [54j showed a 
way to reduce the DLP on supersingular elliptic curves to the DLP of an extension of the 
underlying finite field. Later, Frey and Ruck [23] extended the attack to general elliptic 
curves with the Tate pairing. However, the Weil pairing and the Tate pairing can also be 
used as a constructive tool for cryptography [9], [TO], [TO], [30] . 

Suppose G\ is an additive cyclic group generated by P of prime order q, and G<i is a 
multiplicative cyclic group of the same order. A map e : G\ x G\ — > G2 is called a bilinear 
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mapping if it satisfies the following properties: 

- Bilinear: e{aP, bQ) = e(P, Q) ab for all P, Q G Gi and a, b G Z*; 

- Non-degenerate: There exist P,Q £ G± such that e(P, Q) 7^ 1; 

- Computable: There exist efficient algorithm to compute e(P,Q) for all P, Q G G\. 

In general, Gi is a group of points on an elliptic curve and G2 is a multiplicative subgroup 
of a finite field. 

Computational Problems 

Definition 1. Discrete Logarithm Problem (DLP) : Given Q, R G Gi, find an integer x G Z* 
such that R = xQ. 

Definition 2. Decisional Diffie-Hellman Problem (DDHP) : Given (P, oP, 6P, cP) for a,b,c G 
Z* determine whether c = ab mod g. 

The advantage of any PPT algorithm A in solving DDHP in G\ is defined as Adv^g^ 
= [Prob[A(P,aP,bP,cP) = l]-Prob[A(P,aP,bP,abP) = 1]: a, 6 G Z*]. For every PPT 
algorithm A, Adv^ is negligible. 

Definition 3. Computational Diffie-Hellman Problem (CDHP) : Given (P, aP, bP) for a, b G 
Z*, compute a&P. 

The advantage of any probabilistic polynomial-time (PPT) algorithm A in solving CDHP 
in d, is defined as Adv^f = Prob [A{P, aP, bP, abP) = 1 : a,b G Z*]. For every PPT 
algorithm .4, Adv^^ is negligible. 

Definition 4. Gap Diffie-Hellman (GDH) group: A prime order group G\ is a GDH group if 
there exists an efficient polynomial-time algorithm which solves the DDHP in G\ and there 
is no PPT algorithm which solves the CDHP with non-negligible probability of success. The 
domains of bilinear pairings provide examples of GDH groups. The MOV reduction [54] 
provides a method to solve DDHP in G\, whereas there is no known efficient algorithm for 
CDHP in Gi. 

Definition 5. Bilinear Diffie-Hellman Problem (BDHP) : Given (P, aP, bP, cP) for a, b, c G Z*, 
compute e(P,P) abc . 

Definition 6. Weak Diffie-Hellman Problem (WDHP) : Given (P,Q,aP) for a G Z* compute 
aQ. 

Since most of our discussions on pairing-based proxy signatures are surrounded by Hess's 
signature scheme [30j, we discuss the scheme as follows. 



The Hess signature scheme: The scheme Shess is based on CDHP and works as follows: 
Setup(5P c ^ p ): It takes l k and master-key s as input; and outputs params-cdhp. The 
params-cdhp includes groups G±, G2 of order prime q; a generator P G G\; a bilinear map 
e : Gi x Gi -» G 2 ; map-to-point H : {0, 1}* G u hash function h : {0, 1}* x {0, 1}* Z* 
and public key of a trusted party, say Key Generation Center (KGC) (Pubxcc = sP). The 
KGC keeps s secret. 

KeyGen {KiQcdhp)'- It takes params-cdhp, user (with identity ID) public key Pubju = H(ID) 
as input; outputs user secret key Sid = sPubm, 

i.e., Sid ^^cdh P (params-cdhp, Pubi D )- 
Sign (S c dhp)- To sign a message m, the signer chooses an arbitrary P\ G G±, picks a random 
t G Z* and computes 

r = e(Pi,P)*. 

c = h(m, r). 

a = cSid + tP\. 



DAS et el 



Proxy Signatures 



5 



The signature of m is the tuple (c, a). 

In other words, a <— 5 c ^ p (params-cdhp, (t,r,c), Sid, tu) 

Verify (V c dhp) : The signature (c, a) is verified by the following checking: 

Compute r' = e(a,P) ■ e(H(ID), —PubKGcY '■ Accept the signature if c = h(m,r'). 

In other words, Results "^^^(params-cdhp, PubiD, PubpcGC, (c, to)), where Result G 

{Valid, Invalid}. 

The Hess's signature scheme is proven secure against existential forgery on adaptive chosen- 
message attack under the assumption that CDHP is hard. 

2.3 Integer Factorization Problem 

The integer factorization (also known as prime decomposition) problem (IFP) is: Input a 
large positive integer; output it as a product of prime numbers. The problem holds a strong 
security assumption in cryptography, complexity theory, and quantum computers. Based on 
IFP, the most widely use scheme for public key encryption and signature is RSA [65j. There 
are many algorithms, protocols, and products where security relies on IFP. 

The RSA signature scheme: The signature scheme S rsa works as follows: 
Setup(<SP rsa ): Inputs l k , secret large primes p, q; and outputs params-rsa. The params- 
rsa consists of a public modulus N = pq and hash function h : {0, 1}* — > Z^r. 
KeyGen {K-Q rsa ): Choose public key e such that 1 < e < (j)(N) which is co-prime to <p(N), 
where (f>(N) = (p— 1). Compute secret key d such that de = 1 mod 0(A r ). Procedurally, 
d^KQ rsa (params-rsa, e). 

Sign (S rsa ) : To sign a message m, compute a = h(m) d mod N. The signature of a message 
m is the tuple (m, a). 

In other words, a <— S rsa (params-rsa, d, m). 

Verify (V rS a) '■ Compute m! = o~ e mod N. The signature is valid if m! = h(m). 
In other words, Results V rsa (params-rsa, e, a, to), Result € {Valid, Invalid}. 

3 Security Properties of a Proxy Signature 

Desirable security properties of proxy signatures have evolved from the introduction of proxy 
signature. A widely accepted list of required properties is given below: 

- Strong unforgeability: A designated proxy signer can create a valid proxy signature 
on behalf of the original signer. But the original signer and other third parties cannot 
create a valid proxy signature. 

- Strong identifiability: Anyone can determine the identity of corresponding proxy signer 
from the proxy signature. 

- Strong undeniability: Once a proxy signer creates a valid proxy signature on behalf of 
the original signer, he cannot deny the signature creation. 

- Verifiability: The verifier can be convinced of the signers' agreement from the proxy 
signature. 

- Distinguishability: Proxy signatures are distinguishable from the normal signatures by 
everyone. 
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- Secrecy: The original signer secret key cannot be derived from any information, such 
as the shares of the proxy key, proxy signatures, etc. 

- Prevention of misuse: The proxy signer cannot use the proxy key for other purposes 
than it is made for. That is, he cannot sign message with the proxy key that have 
not been defined in the warrant. If he does so, he will be identified explicitly from the 
warrant. 

3.1 Classification of Proxy Signature 

According to the nature of delegation capability, proxy signature can be classified as proxy- 
unprotected, proxy-protected and threshold notions. This differentiation is important in 
practical applications, since it enables proxy signature schemes to avoid potential disputes 
between the original signer and proxy signer. 

3.1.1 Proxy-unprotected notion 

The scenario exists when an original signer gives his signing rights (full delegation with 
warrant) to a proxy signer. The original signer sends a signed warrant to the proxy signer, 
who then uses this information to generate proxy signatures by executing a standard signature 
scheme. When a proxy signature is sent, the recipient checks its validity according to the 
corresponding standard signature verification process. As the proxy signer does not append 
his secret key on top of the received delegation, a dishonest original signer can sign the 
message and later claim that the signature was created by the proxy signer. This type of 
proxy signature primarily lacks strong unforgeability property. 

3.1.2 Proxy-protected notion 

This is the scenario when the proxy signer uses his secret key to safeguard him from the 
original signer's forgery. In this case, the original signer sends a signed warrant to the proxy 
signer, who then uses it to construct a proxy key by appending his secret key. With the 
proxy key, the proxy signer can generate proxy signatures by executing a standard signature 
scheme. When a proxy signature is sent, the recipient first computes the proxy public key 
from some public information, and then checks its validity according to the corresponding 
standard signature verification process. By this technique, neither the original signer frames 
proxy signer nor the proxy signer frames original signer. 

3.1.3 Threshold notion 

In a threshold proxy signature, the proxy key is shared by a group of n proxy signers. In order 
to produce a valid proxy signature on a given message m, individual proxy signer produce 
his partial signature on that message, and then combines them into a full proxy signature on 
message m. 

In a (t, n) threshold proxy signature scheme, the original signer delegates his signing capability 
to a proxy group of n members. Any t or more proxy signers of the group can cooperatively 
issue a proxy signature on behalf of the original signer, but (t — 1) or less proxy signers cannot 
forge a signature. 



DAS et el 



Proxy Signatures 



7 



4 Models of Proxy Signature 

Based on the security assumptions on various proxy signature schemes, we categorize the 
existing schemes into four different constructions: DLP-based proxy signature, RSA-based 
proxy signature, ECDSA-based proxy signature, and Pairing-based proxy signature. The 
schemes consist of delegation capability generation, delegation capability verification, proxy 
key generation, proxy signature generation and proxy signature verification. 

4.1 DLP-based Proxy Signature 

The participants involved in the model are: 

- an original signer, who delegates his signing capability to a proxy signer. 

- a proxy signer, who signs the message on behalf of the original signer. 

- a verifier, who verifies the proxy signature and decides to accept or reject. 

- a trusted party who certifies the public key. 

DLP-based Proxy Signature Model: An original signer selects a secret key x Q and 
computes his public key y as 

Do <- /C£ d ip(params-dlp, x ). 
A proxy signer selects a secret key x p and computes his public key y p as 

y P <— /C£^ p (params-dlp, x p ). 
Delegation capability generation: It takes params-dlp, original signer chosen parameters 
(k ,r ), original signer secret key x Q , a warrant uj as input; and outputs signature cr onw, 

Procedurally, o <— S<ii p (params-dlp, (k ,r ), x Q , uj) 
Delegation capability verification: It takes params-dlp, y Q , uj, <t as input; and outputs 
Result, where ResultG {Valid, Invalid} , 

i.e., Results Vd; p (params-dlp, y a , a a , uj). 

Proxy key generation(PKeyGen^ p ): It takes params-dlp, a Q , x p and random number as 
input; and outputs proxy key p p . Typically, the proxy signer uses simple arithmetic operation 
to form a proxy key p p = y a + x p y p mod q. 

Procedurally, p p <— PKeyGen^ p (params-dlp, a Q , x p , pub-param]^) 

Proxy signature generation: It takes params-dlp, proxy key p p and message m as input; 
outputs signature a p on m, i.e, a p <— 5^ p (params-dlp, p p , m) 

Proxy signature verification: It takes params-dlp, y Q , y p , m and a p as input; outputs 
Result, i.e., Results Vdi p (params-dlp, (y Q , y p ), o p , m). 

4.2 RSA-based proxy signature 

The participants involved in the model are: 

- an original signer, who delegates his signing capability to a proxy signer. 

- a proxy signer, who signs the message on behalf of the original signer. 

- a verifier, who verifies the proxy signature and decides to accept or reject. 

- a trusted party who certifies the public key. 

RSA-based Proxy Signature Model: An original signer selects a public key y a and 

computes his secret key x a as 



pub-params include signers' public keys, random numbers, warrant, etc. 
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x <- /C£/ rsa (params-rsa, y D ). 
A proxy signer selects a public key y p and computes his secret key x p as 
x p <— /Ct/ rsa (params-rsa, y p ). 

Delegation capability generation: It takes params-rsa, x Q , a warrant cj as input; and outputs 
signature a on u, Procedurally, a <— 5 rsa (params-rsa, x D , uj) 

Delegation capability verification: It takes params-rsa, y , uj, a Q as input; and outputs 
Result. That is, Results Wsa(params-rsa, y Q , a , uj), where Result € {Valid, Invalid} . 

Proxy signature generation: It takes params-rsa, a Q , x p and message m as input; outputs 
signature a p on m, i.e, a p <— S rsa (params-rsa, x p , (a ,m)) 

Proxy signature verification: It takes params-rsa, y Q , y p , m and a p as input; and outputs 
Result, i.e., Results V rsa (params-rsa, {y ,y p ), a p ,m). 

4.3 Pairing-based proxy signature 

The participants involved in the model are: 

- an original signer, who delegates his signing capability to a proxy signer. 

- a proxy signer, who signs the message on behalf of the original signer. 

- a verifier, who verifies the proxy signature and decides to accept or reject. 

- a trusted party who issues user secret key. 

Pairing-based Proxy Signature Model: The original signer generates his public key y Q = 
H(ID a ), and computes secret key x Q ^/C£/ c d/i P (params-cdhp, y ), where ID Q is original 
signer's identity. 

The proxy signer generates his public key y p = H(ID P ), and computes secret key 
x p <— /Ct/ c rf/i P (params-cdhp, y p ), where ID p is proxy signer's identity. 

Delegation capability generation: It takes params-cdhp, x a and a warrant uj as input; 
outputs signature a on uj, i.e., a <— ^^(params-cdhp, (k ,r ,c ), x , uj). 
Delegation capability verification: It takes params-cdhp, y Q , uj and a as input; and outputs 
Result, i.e., Results Vcd^params-cdhp, (y Q , PubKGc), cr , (c ,uj)), where Result € 
{Valid, Invalid}. 

Proxy key generation: It takes params-cdhp, a , x p and random number as input; and 
outputs proxy key p p ^- PKeyGen c rf/j p (params-cdhp, a Q , {user-par am^j , x p ). 

Proxy signature generation: It takes params-cdhp, proxy key p p and message m as input; 
outputs signature a p on m, i.e., a p <— ^^^(params-cdhp, (k p ,r p ), p p , m). 

Proxy signature verification: It takes params-cdhp, y , y p , m and a p as input; outputs 
Result, i.e., Results (params-cdhp, (y ,y P , Pubxcc), <?p, (c p ,m,uj)). 



2 The user-params includes signers' public keys, random numbers, warrant, etc. 
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Conventions and notation for DLP-based proxy signature schemes 



Alice 


Original signer 


Bob 


Proxy signer 


q 


A large prime 


Zg 


Set of integers modulo q 


z* 


Multiplicative group of Z q 


9 


Generator of large order in Z* 




Secret key of Alice and Bob, respectively 


Vo 


Public key of Alice, y — g x ° mod q 


Vv 


Public key of Bob, y p — g Xp mod q 




A warrant 


h{.) 


A collision-resistant one-way hash function 



5.1.1 Mambo, Usuda and Okamoto |53j 

First classified the proxy signature on the basis of the degree of delegation, and proposed a 
well devised scheme. In the scheme both proxy unprotected and proxy protected notions are 
envisaged. As we are more focused on proxy-protected scheme, here we discuss the proxy- 
protected notion. 

Assumption: DLP is hard. 

Alice selects a secret key x and generates public key y <— /C^^ p (params-dlp, x ). 
Bob selects a secret key x p and generates public key y p <— /C£/^ p (params-dlp, x p ). 
Delegation capability generation: Alice chooses a random number k Q £ Z*^ and computes 
r o = g ko mod q. Alice computes a <— 5^ p (params-dlp, (k ,r ), x ). 
Delegation capability verification: Bob accepts a Q if and only if 

ya/id^V^ p (params-dlp, y , a Q ). 
Proxy key generation: Bob computes proxy key p p <— PKeyGen^ p (params-dlp, a Q , x p , pub- 
par •ams). 

Proxy signature generation: The proxy signature on message m is computed as 

cr p <- 5 rf zp(params-dlp, (k p ,r p ), p p , m). 
Proxy signature verification: The verifier accepts the proxy signature if and only if 

Valid^- V^p(params-dlp, (y ,y p ), cr p , m). 

Security: The underlying security of the scheme is based on the hardness of DLP. However, 
the scheme has two weaknesses. Firstly, unlimited delegation, i.e., Bob can sign any message 
on behalf of Alice because Alice has delegated unlimited signing rights to Bob. Secondly, 
proxy transfer, i.e., If Bob transfers Alice's delegation power to any other party who can sign 
any message on behalf of Alice. In other words, the scheme does not satisfy the prevention 
of misuse security property. 



DAS et el 



Proxy Signatures 



10 



5.1.2 Kim, Park and Won [40J 

Proposed proxy signature for partial delegation with warrant and proxy signature for thresh- 
old delegation. 

Assumption: DLP is hard. 

Scheme for partial delegation with warrant (PDW): 

Alice chooses a secret key x Q and generates public key y Q <— /C<5^ p (params-dlp, x Q ). 
Bob chooses a secret key x p and generates public key y p <— /C<5^ p (params-dlp, x p ). 
Delegation capability generation: Alice chooses a random number k Q € 7E>* q _\ and computes 
r o = 9 k ° mod q. Then, Alice computes a Q <— 5^ p (params-dlp, (k ,r ), x Q , uj). 
Delegation capability verification: Bob accepts a Q if and only if 

V alid^Vdi P (par ams-dlp, y Q , <x , uj). 
Proxy key generation: Bob computes proxy key p p <— PKeyGen^ p (params-dlp, a Q , x p , pub- 
par ams). 

Proxy signature generation: The proxy signature on message m is computed as 

v p *- <S^ p (params-dlp, (k p ,r p ), p p , m). 
Proxy signature verification: The verifier accepts the proxy signature if and only if 

Valid^- V^ p (params-dlp, (y ,y P ), cr P , (w,m)). 

Scheme for Threshold Delegation: In the threshold delegation, Alice sends her delegation to 

a proxy group so that to sign a message the proxy signer's power is shared. 

Alice chooses a secret key x Q and generates public key y Q <— /C£/^ p (params-dlp, x Q ). 

Each proxy signer acts as a dealer with a random secret u, chooses a random polynomial 

such that f(x) = u + a%x + • • • + at-\x l ~ l mod q — 1. The proxy group keys are generated 

as follows: 

Public keys: g u mod q, g ai mod q, ■ • • , <7 a * _1 mod q. 
Secret keys: x P) i = u + a±i + ■ • • + at-ii 1 ^ 1 ; i = 1, 2, • • • ,t. 

Delegation capability generation: Alice chooses a random number k Q € Z* 1 and computes 

r o = 9 mod q. Then Alice computes a Q <— 5^ p (params-dlp, (k ,r ), x a , lo). 

Proxy Sharing: To share cr in a threshold manner with threshold t, Alice chooses random 

bj G Z 9 _i; j = 1, 2, • • • , t — 1, and publishes the values Bj = g bj ,j = 1, 2, • • • , t — 1. Then, 

she computes the proxy share cr, as cr, = f'(i) = a a + b\i + • • • + bt-ii 1 ^ 1 . 

Delegation capability verification: Each proxy signer accepts dj if and only if 

g 1 = yo r a ■ l[ j=1 5j mod q. 
Proxy key generation: Each proxy signer computes proxy key as 

Pp,i PKeyGen^ p (params-dlp, (Tj, x p ^, pub-par ams). 
Proxy signature generation: To sign a message m, each proxy signer computes v = h(l,m), 
where I = g r mod q (r is secret to the proxy signer). Then, the proxy signer computes 
\ = Si + 0{V mod q — 1 and reveals A«, where s« = /(i) = r + a\i + • ■ ■ + at-\i l ~ l . On 
validating Aj, each proxy signer computes a satisfying a = r + <7 w = /(0) + f'(0)v mod g — 1 
by applying Lagrange formula to Aj. The proxy signature on m is the tuple (uj, r a , m, a, v). 
Proxy signature verification: The verifier checks whether v ' = g a • (y ■ y p ) /l ^' ro V ) _t ' mod q, 
and then whether v = h(v',m). 

Security: To the best of our knowledge the proposed PDW scheme is still unbroken. How- 
ever, the intuition in this scheme that using warrant does not require proxy revocation is 
not correct. There are many situations where proxy revocation is a must though warrant 
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explicitly states the validity and restricts the message signing. Sun et al [76] showed that the 
above threshold delegation approach is not secure. 

5.1.3 Zhang [87J 

Proposed threshold and non-repudiable proxy signatures, where both the original signer and 
proxy signer can not falsely deny their signature. 

Assumption: DLP is hard. 

Alice chooses a secret key x Q and generates public key y Q <— /C<5^ p (params-dlp, x Q ). 
Assume that there is a group of n proxy signers Pi, i = 1, ■ ■ ■ , n. 

Proxy key generation: Alice picks k Q G computes R = g ko mod q, and broadcasts R. 

The proxy signer randomly selects Qj € computes y Pi = g ai R mod q, checks whether 

y Pi E and if it holds then broadcasts y Pi . 

Alice computes R = YYi=i Upti an d s = nr x Rx + k mod q — 1 and broadcasts s. Then, each 
proxy signer computes R = Y\1 =1 y Pi ,cr Pi = s + cti mod q — 1, and checks if the equality holds: 
g s = y n H R mod q. If it holds, the proxy signer accepts (7 clS cl valid proxy share. 
The threshold proxy signature and verification are done in similar approaches as in the 
schemes [29]. [25]. 

Security: Lee et al.'s [44J and }76j pointed out some weaknesses in Zhang's threshold proxy 
signatures [H7J. Later, some additional attacks are commented in [26J. 

5.1.4 Petersen and Horster [62J 

Proposed a scheme for self-certified keys issuance under different trust level and used them 
for delegation of signing rights and delegated signatures, proxy signatures. 
Assumption: DLP is hard. 

Alice picks a secret key x Q and generates public key y Q <— /C£/^ p (params-dlp, x Q ). 
Bob picks a secret key x p and generates public key y p <— /C^^ p (params-dlp, x p ). 
Delegation capability generation: Alice picks a random number k Q € Z* 1? computes r a = g ko 
mod q. Then, Alice computes a <— 5^ p (params-dlp, (k ,r ), x Q , ProxylD). 
Delegation capability verification: Bob accepts a if and only if 

Valid*— V^ p (params-dlp, y Q , a Q , ProxylD). 
Proxy key generation: Bob computes proxy key p p <— PKeyGen^ p (params-dlp, a Q , x p , public- 
parameters). 

Proxy signature generation: The proxy signature on message m is computed as 

o-p *- 5 rfip (params-dlp, p p , (m, ProxylD)). 
Proxy signature verification : The verifier accepts the proxy signature if and only if 

Valid*- Vd/ p (params-dlp, (y ,y P ), cr p , (m, ProxylD)). 

Security: The scheme has three weaknesses. Firstly, the proxy signer can deny his signature 
creation later because a proxy signature does not contain any authentic information of proxy 
signer. Secondly, the proxy signer gets a proxy key pair (x p ,y p ) from the original signer. He 
can deny his signature by showing that the proxy signature is created by the original signer 
with the name of him. Thirdly, the original signer sends the signing rights to a proxy signer 
without any agreement or warrant. The original signer can argue that the proxy signature is 
not valid for the concerned message. Moreover, the schemes in [47], [33] further pointed out 
some more weaknesses of this scheme. 
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5.1.5 Sun, Lee and Hwang |76j 

Proposed a (t, n) threshold proxy signature based on Zhang's threshold scheme 
Assumption: DLP is hard. 

Alice picks a secret key x Q and generates public key y Q <— /C^^ p (params-dlp, x Q ). 
Assume that there is a group of n proxy signers Pi, i = 1, • • • , n. Each proxy signer pi has a 
secret key x Pi G Z q ^i and a public key y Pi <— /Ct/^ p (params-dlp, x Pi ). 

Proxy generation: Alice picks k D G 7L q ^\, computes R = g ko mod q, and broadcasts R. Then 
each proxy signer randomly selects «j E computes r Pi = g Qi R mod q. 

Alice computes R = YYi=i r Pi m °d q, and s = n~ 1 x h(R, PGID) + k Q mod q — 1 and broad- 
casts s, where PGID is the proxy group identity that records the proxy status, the event 
mark of the proxy share generation, the expiration time of the delegation, the identities of 
original signer and proxy signers. After validating s, each proxy signer performs a (t, n) veri- 
fiable threshold secret sharing scheme [61], and acts as a dealer to distribute proxy sub-shares 
to other n — 1 proxy signers for generating their valid proxy shares. Each proxy signer pi 
selects a (t — l)-degree polynomial fi(x) = Si + a^ix + a^x 2 + • • • + a^^ix* -1 mod q — 1, 
where Sj = s + aj + x Pi h(R, PGID) mod q — 1. Then pi sends the proxy sub-share fi(J) to 
proxy signer Pj (for 1 < j < n and j ^ i) vis a secure channel. In addition, pi also broadcasts 



n a i.l . . . n ai , t - 1 



n 



After validating all Pi computes x^ = / jfjii) mod g — 1 as his proxy share. Let 

n 

f{x) = ~^2fj(x) mod q — 1. This proxy share can be written as x^ = f(i) and will 
i=i 

be used for generating proxy signatures. The shared secret key is regarded as /(0) = 

n n n n 

hs + ^2ai + ^2 X P M^ PGID) = ^(cti + k Q ) + x Pi h(R, PGID) mod q-1. 

i=l i=l i=l i=0 

Proxy signature generation: Each participant proxy signer pi (1 < i < t) performs a 

(t, t) verifiable secret sharing scheme by randomly choosing a (t — l)-degree polynomial 
t-i 

f[(x) = ^2 a 'i,j x ^ m °d q — 1 and broadcasts • = g ai >i mod q for j = 0, 1 ■ • • , t — 1. Then 

j=0 

Pi computes f!(j) and sends it to pj via a secure channel for 1 < j < n and j ^ i. After 

t 

validating each //(j), each participant proxy signer pi computes x'( = f(i) = mod 

i=i 

t t 
q — 1, where f'(x) = fj( x ) mod g — 1 and Y = ^\ <4 o mod q. Finally, each pi computes 

j=i k=i 
and broadcasts Tj = x^/i(m) + x'-Y mod ? — 1. 

On validating Tj, each pj computes T = f(0)h(m) + /'(0)y mod q — 1 from by applying 
Lagrange's interpolating polynomial, where m is the message. The proxy signature on mes- 
sage m is the tuple (R, PGID, Y, T). 

Proxy signature verification: The verifier accepts the proxy signature if and only if 

h(R,PGID) \ k( m ) 
9 T =\[yo\\y l \ R\ Y Y modq. 
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Security: Hsu et al. [M] and Shao [69J noticed that Sun et al.'s scheme is not secure, it lacks 
coalition attack. 

5.1.6 Lee, Kim and Kim |48| 

Proposed a scheme in which a mobile agent is constructed using non-designated proxy sig- 
nature which represents both the original signer's (customer) and the proxy signer's (remote 
server) signatures. The work provides Schnorr-based and RSA-based constructions for secure 
mobile agent. Here, we give the Schnorr-based construction, the RSA-based construction is 
given in the next section. 

Assumption: DLP is hard. 

Alice chooses a secret key x Q and generates public key y Q <— /C<7^ p (params-dlp, x Q ). 
Bob chooses a secret key x p and generates public key y p <— /C<5^ p (params-dlp, x p ). 
Delegation capability generation: Alice chooses a random number k Q G ^* q -i and computes 
r o = 9 k ° mod q. Then she computes o Q <— 5^ p (params-dlp, (k 01 r ), x D , u>). 
Delegation capability verification: Bob accepts u if and only if 

V alid^Vdi P (par ams-dlp, y , a D , uj). 
Proxy key generation: Bob computes proxy key p p <— PKeyGen^ p (params-dlp, a Q , x p , public- 
parameters). 

Proxy signature generation: The proxy signature on message m is computed as 

o> <- <S^ p (params-dlp, (k p ,r p ), p p , m). 
Proxy signature verification: The verifier accepts the proxy signature if and only if 

Valid <- V^ p (params-dlp, (y ,y p ), cr p , (m,w)). 
Security: Wang et al. [82] showed that the scheme is insecure against transferring, forgery 
attacks. 

5.1.7 Boldyreva, Palacio and Warinschi |7J 

First proposed a formal security notion for proxy signature. At the same time, they proposed 
a provable secure scheme, called triple Schnorr proxy signature scheme, which is an enhanced 
version of the scheme [40] . 
Assumption: DLP is hard. 

Alice chooses a secret key x a and generates public key y Q <— /C^^ p (params-dlp, x Q ). 
Bob chooses a secret key x p and generates public key y p <— /C^rf; p (params-dlp, x p ). 
Delegation capability generation: Alice chooses a random number k Q G and computes 
r Q = g k ° mod q. Then computes a Q <- S^ p (params-dlp, (k ,r ), x D , (u,y ,y p )). 
Delegation capability verification: Bob accepts a a if and only if 

Fa/ic^V^ p (params-dlp, y Q , a a , (u,y ,y p )). 
Proxy key generation: Bob computes proxy key p p *— PKeyGen^ p (params-dlp, a Q , x p , pub- 
par ams). 

Proxy signature generation: The proxy signature on message m is computed as 

o> <- 5 d i p (params-dlp, (k p ,r p ,y ,y p ), p p , m)). 
Proxy signature verification: The verifier accepts the proxy signature if and only if 

Valid <- V rf z p (params-dlp, (y ,y p ), cr p , m)). 
Security: The scheme is based on Kim et al's PDW scheme [3Dj. However, they did not 
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consider warrant in the proxy signing phase which leads unlimited delegation, that is, the 
scheme suffers from delegation misuse. 

5.1.8 Li, Tzeng and Hwang |49| 

Proposed a generalized version (ti/m — £2/^2) proxy signature scheme . The (ii/m — £2/^2) 
proxy signature scheme allows t\ out of n\ original signers to delegate their signing capability 
to a designated proxy group of ti out of proxy signers. The proxy group of proxy signers 
can cooperatively generate the proxy signature on behalf of the original group. Any verifier 
can verify the proxy signature on the message with the knowledge of the identities of the 
actual original signers and the actual proxy signers. 

Assumption: DLP is hard. 

Let the scheme consists of ri\ original signers and n,2 proxy signers. 

For i = 1, 2, • ■ • , m, the original signer chooses a secret key x 0i and generates public key y 0i 

For j = 1,2, •• • , ri2, the proxy signer chooses a secret key x Pj and generates public key y Pj 
<-/C£(iZp(params-dlp, Xpj ). 

Delegation capability generation: For % = 1,2, ••• ,t\ (< n\), the original signer chooses 
a random number k Qj G and computes r Qi = g k °i mod q. Then the original signer 

computes a Qi <— <S^ p (params-dlp, (k 0i ,r 0i ), x 0i , u). A designated clerk (any one of the 
original signers) verifies the individual proxy shares as whether 
Valid<^- V<flp(params-dlp, y Qi , a Qi , u). 

h 

If it holds, the clerk combines the individual proxy shares as a Q = a Qi mod q — 1. The 

i=l 

ti 

final proxy share is the tuple (u, K,a ), where K = JJ r o 4 - 

»=i 

Delegation capability verification: Bob accepts a Q if and only if 
V alid^Vdi P (par ams-dlp, (K,y ), cr , u). 

Proxy signature generation: Each proxy signer selects a random integer k Pj G Z* lf computes 
r Pj = g kp o mod q, and broadcast r Pj . Then, each proxy signer computes R = Y[j 2 =i r p 3 m od 
q and o p . = k Pj R + {pot^ 1 + x 0i y 0i ) h ^ m ' R,Pr ' oxyID " > mod q — 1, where ti is the threshold value 
of the proxy signers group. 

A designated clerk verifies the individual proxy signature as whether 

g "Vi = r R ((^^^ i ^^( w ' X ))i 2 - 1 y ^)/ l (m,i?,Pro^7D) mod g _ lnt doeg) the derk combines 

the individual proxy signature of m as a = Y^j=i a p 3 m od q — 1. The proxy signature of m 
is (u, K, m, R, a). 

Proxy signature verification: A verifier checks the validity of the proxy signature on m 
whether g° = R R (K K Utl Vof^^ 11?=! Vv7 ) h ^ Prox y ID ^ mod q. 
Security: The security analysis of the scheme is not rigorous. 

5.1.9 Herranz and Saez [33] 

Proposed a distributed proxy signature scheme. The scheme extended the work in [7] to the 
scenario of fully distributed proxy signature schemes. 
Assumption: DLP is hard. 
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Generation of keys: Let E = {PW,P» 3 J, • • • ,P^} be a distributed entity formed by n 

participants. There is an access structure T C 2 E , which is formed by those subsets of 

participants which are authorized to perform the secret task. The access structure must be 

monotone increasing; that is, if A\ G T is authorized and Ai C A2 C E, then Ai must be 

authorized. The joint generation of discrete logarithm keys is as follows: 

Each participant P^ G E obtains a secret value E The values {x^} P (i) £E form a 

sharing of the secret key x £ according to some linear secret sharing scheme realizing 

the access structure T. The corresponding public key y = g x mod q is made public, along 

with other values (commitments) which ensure the robustness of the protocol. 

The fully distributed triple Schnorr proxy signature scheme is generated in a similar way of 

the Boldyreva et al's scheme [7]. 

Security: The scheme is as secure as Kim et al's PDW scheme |40j . 
5.1.10 Malkin, Obana and Yung [52] 

Presented a formal model for fully hierarchical proxy signatures with warrant that supports 
chains of several levels of delegation. 

Assumption: DLP is hard. 

The signers' selects secret key x^ and computes public key yi <— /C^rf; p (params-dlp, Xi). 
Delegation capability generation: This is an interactive process between the designator and 
proxy signer. It takes public keys of a designator y% h _ x and a proxy signer yi L , the signing 
key of which the designator delegates its signing right (i.e., the signing key is either a signing 

key Xi L _ x or a proxy key <7j D > j i l depending on whether ii-i is original signer or proxy 

signer), a warrant up to previous delegation Wl—i and a warrant ujl set in current delegation 
as inputs; outputs delegation rights. 

Proxy key generation: It takes public keys of a designator and a proxy signer yi v the 
secret key of the proxy signer Xi L as inputs and outputs a proxy key Oi a >i L and a warrant 

U. 

Proxy signature generation : The proxy signature on message m is computed as 

o p <- 5 d zp(params-dlp, a io ...^ iL , (m,uj)). 
Proxy signature verification : The verifier accepts the proxy signature if and only if 

Valid <- Vdi P (params-dlp, y io , a p , (m,u)). 

Security: The scheme formalizes a model of fully hierarchical proxy signature, which is a 
probably secure model to the best of our knowledge. 

5.2 RSA-based Proxy Signature 
5.2.1 Okamoto, Tada and Okamoto [59] 

Proposed a scheme that reduces the computation and storage cost during the protocol exe- 
cution, and the protocol is suitable for implementation in smart card. 

Assumption: IFP is hard and smart card is tamper resistant. 

Alice chooses a public key y Q and generates secret key x Q <— /CC/ rsa (params-rsa, y Q ). 
Delegation capability generation: Alice computes a Q <— 5 rsa (params-rsa, x Q , (uj,I p )) where 
I p denote the limit of money which she can spend. 
Delegation capability verification: Bob accepts a Q if and only if 
Wi^c^V rS a (params-rsa, y Q , a Q , (uj,I p )). 



DAS et el 



Proxy Signatures 



16 



Conventions and notation for RSA-based proxy signature schemes 


Alice 


Original signer 


Bob 


Proxy signer 


N ,N p 


RSA Modulus for Alice and Bob, respectively 


Vo 


Public key of Alice, where 1 < y a < 4>(N ) 


Vv 


Public key of Bob, where 1 < y p < <j>(N p ) 


Xq 


Secret key of Alice, where x y = 1 mod </>(N ) 


Xp 


Secret key of Bob, where x p y p = 1 mod (f>(N p ) 


UJ 


A warrant 


h(.) 


A collision-resistant one-way hash function 



Proxy signature generation: To sign a message m, Bob generates a random number k p £ Z%, 
and computes 

r = g k P h ^a Q mod N a 

s = g-y° k p mod N a . 
The proxy signature of message m is the tuple (m, (r, s), I p ). 

Proxy signature verification: The verifier checks whether (ID p ,uj) = h(I p )r y °s h ^ m ^ mod N . 
If it does, the verifier accepts it as a valid proxy signature. Otherwise, rejects it. 

Security: The scheme has a weak security as it is designed as a proxy-unprotected scheme, 
where Alice can frame Bob by signing the message and later claim that Bob has signed the 
message. 

5.2.2 Lee, Kim and Kim [48] 

A mobile agent is constructed in the scheme using non-designated proxy signature which 
represents both the original signer's (customer) and the proxy signer's (remote server) sig- 
natures. 

Assumption: IFP is hard. 

Alice chooses a public key y a and generates secret key x Q <— /C<7 rsa (params-rsa, y ). 
The mobile agent (proxy signer) chooses a public key y p and generates secret key 

x p ^/C£ rsa (params-rsa, y p ). 
Delegation capability generation: Alice creates a *— 5 rsa (params {AlicelD, req)), 

where req is the customer requirements for purchase such as price range, date, delivery re- 
quirements, etc. 

Delegation capability verification: The mobile agent accepts a D if and only if 

Valid-*— V rsa (params-rsa, y , &o, (Alice ID, req)). 
Proxy signature generation: Let BID be the agent's bid information which conforms to req. 
The agent (remote server) tries to sell the product to Alice. The remote server computes 
x = h(AliceID,req,AgentID,BID) Xp mod N p , y = h(AliceID,req) x mod A^ D and z = a x 
mod N Q . Then sends the tuple (AliceID,req, AgentID, BID, x,y, z) to the mobile agent 
and the agent will get back to Alice with this tuple as a receipt of the purchase. 
Proxy signature verification: Alice receives (AlicelD, req, AgentID, BID, x, y, z) from the 
mobile agent, then she can verify the validity of the purchase by the following: 

- Whether h(AliceID, req, AgentID, BID) = x y ? mod N p . 

- Whether y = h(AliceID, req) x mod N a . 

- Whether y = z y ° mod A^ D . 
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- Whether BID € {req}. 

Security: Wang et al. [82] showed that the scheme is insecure and inefficient. 

5.2.3 Shao [68] 

Proposed a proxy signature scheme based on the factoring problem, which combines the RSA 
signature scheme and the Guillou and Quisquater [28] signature scheme. 
Assumption: IFP hard and Guillou-Quisquater signature is secure. 

Alice chooses a public key y D and generates secret key x Q <— /C£/ rsa (params-rsa, y ). 

Bob chooses a public key y p and generates secret key x p <— /C(/ rsa (params-rsa, y p ). 

Delegation capability generation: Alice computes proxy key v = h(uj, ProxyID)~ x ° mod N Q , 

u = [v/Npj and z = v Vp mod N p . The delegation is the tuple (uj,z,u). 

Delegation capability verification: Bob recovers v = u x N p + (z Xp mod N p ). 

Proxy signature generation: Let m be the message to be signed by Bob. Bob does the 

following: 

- Randomly chooses an integer t G [l,iV ] and computes r = t y ° mod iV . 

- Compute k = h(m,r) and x = k Xp mod N p . 

- Compute y = tv k mod N . 

The proxy signature on message m is (m,u,x,y, Proxy ID). 
Proxy signature verification: The verifier checks the following: 

- Compute k' = x Vp mod N p . 

- Compute r' = y yo h(co,ProxyID) k mod A^ D . 

- Check whether k' = h(m,r'). 

Security: The security of the scheme is based on Guillou-Quisquater signature scheme [28] . 
However, the author did not give the formal security proof. 

5.2.4 Das, Saxena and Gulati |19] 

Proposed a proxy signature scheme that provides effective proxy revocation mechanism. 
Assumption: IFP is hard. 

In addition to Alice and Bob, a trusted server (TS) is another participant in the scheme for 
time stamp issuance. 

Alice chooses a public key y Q and generates secret key x Q <— /C£/ rsa (params-rsa, y ). 
Bob chooses a public key y p and generates secret key x p <— /C£/ rsa (params-rsa, y p ). 
TS chooses a public key y s and generates secret key x s <— /C<7 rsa (params-rsa, y s ). 
Delegation capability generation: Alice computes the delegation capability a Q as 

o ^- 5 rsa (params-rsa, x Q , (u,y p ,y s )). 
Delegation capability verification: Bob accepts o if and only if 

^a/iii^Vrsa (params-rsa, y , a Q , (u,y p ,y s )). 
Proxy signature generation: Let m be the message to be signed. Bob requests a time stamp 
to the TS and sends (R, m, y Q , y p ), where R <— 5 rsa (params-rsa, x p , (m, u, y Q , y p )). The TS 
verifies whether V rsa (params-rsa, y p , R, (m,co,y ,y p )). If it holds, the TS ascertain 

the following conditions are true before the time stamp is issued: 

- Alice's public key y Q is not in the public revocation list maintained by the TS. 

- u> is not expired. 

Now, TS computes T m <— <S rsa (params-rsa, x s , (m,uj,y ,y p ,T)), where T denotes a time 
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stamp. Then, TS sends (T m ,T) to Bob over a public channel. 

Bob accepts T if and only if ya/id^V rsa (params-rsa, y s , T m , (m,u},y ,y p ,T)). 

If it holds, Bob generates proxy signature as a p = (h(m, u>, y Q , y s ,T)(&a ) Xp mod N p , otherwise 

rejects the time stamp and makes another request to the TS. The proxy signature of message 

m is (m,u,T,T m ,ap). 

Proxy signature verification: The verifier checks the following to validate a proxy signature: 

- Whether Valid^- V rsa (params-rsa, y s , T m , (m,uJ,y ,yp,T)). If it holds, the verifier is 
assured that the time stamp in the signed message is correct. Otherwise, he rejects the 
signed message. 

- Whether h(u>,y p ,y s ) = (o v v v mod N p © h(m,u>,y ,y s ,T)) y ° mod N a . If it holds, he 
accepts the signed message. Otherwise, he rejects it. 

Security: The scheme provides an effective proxy revocation mechanism. The scheme is secure 
on the assumption that IFP is hard. However, the scheme does not work when N p > N Q , 
but it is a valid assumption because typically the proxy signer key strength should not be 
greater than the original signer key strength. 

5.3 ECDSA-based Proxy Signature 
5.3.1 Chen, Chung and Huang [13j 

Proposed a scheme for proxy multi-signature based on elliptic curve cryptosystem that re- 
duces high computational overheads of Sun's scheme [74j . 

Assumption: ECDLP is hard. 

Let B = {xbi ys) be a point in E(F q ) for a large prime q, the order of B is assumed as t. 
For each 1 < i < n, the original signer secretly selects a random number 1 < d , < t — 1 as 
her private key and computes the corresponding public key Qi = di x B = (xQ i , yq i ) . 
The proxy signer selects a private key 1 < d p < t — 1 and computes corresponding public key 
Q P = d p x = {x Qp ,y Qp ). 

Delegation capability generation: For each 1 < i < n, the original signer Ai selects a random 
number 1 < fcj < t — 1, computes r» = ki x B = (x n ,y ri ) and Si = Xi ■ XQ i ■ h(uj, ri)ki mod t. 

Delegation capability verification and proxy key generation : For each 1 < i < n, the proxy 
signer computes f7, = (xQ i ■ h(uj,n) mod t) x Qi - s, x B = (xu^yUi) using r^Sj). If 
%Ui = x n mod t, the proxy signer accepts Sj as a valid delegation of signing right; otherwise, 
he rejects it. If the proxy signer validates all (u;,rj,Sj) in which 1 < i < n, s/he then com- 
putes d = d p ■ xq p + Yl7=l Si m °d i as a valid proxy key. 

Proxy signature generation: When the proxy signer signs a message m for A±,- ■■ ,A n , he 
executes the signing operation of a designated signature scheme using the signing key d. The 
resulting proxy signature is the tuple (m, a Sp (m),ri , r2, • • • , r n , uj). 

Proxy signature verification: The verifier computes the proxy public key Q corresponding 
to the proxy key s p for verifying the proxy signature by the designated signature scheme: 

Q = X Q P x Qp + ( x Qi ■ Ku, n) mod t x Qi H h (x Qn ■ h(u, r n ) mod t x Q n {r\ H h r n ). 

With the newly generated proxy public key Q, the verifier confirms the validity of a Sp (m) by 
validating the verification equation of the designated signature scheme. 
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Security: The authors did not consider any security model for their scheme, instead, a heuris- 
tic security analysis is given to safeguard the scheme. 

5.4 Pairing-based Proxy Signature 



Conventions and notation for pairings-based proxy signature schemes 



Alice Original signer 
Bob Proxy signer 

G\ A cyclic additive group, whose order is prime q 

G2 A cyclic multiplicative group of the same order q 

P A generator of G\ 

e A bilinear pairing map 

H(-) Map-to-Point function 

h(-) Collision- resistant one-way hash function 

s PKG's master-key 

PubKGC KGC's public key, PubKGC = sP 

y 0l x Alice's public key and secret key, respectively, y — H(ID Q ) 
y p ,x p Bob's public key and secret key, respectively, y p = H(ID p ) 



5.4.1 Zhang, Safavi-Naini and Lin |90j 

Proposed an ID-based proxy signature based on Hess's ID-based signature. 
Assumption: WDHP is hard. 

Alice computes her public key y Q = H(ID Q ), where ID is her identity. Then, Alice obtains 
her secret key x Q ^/Ct/ c ^p(params-cdhp, y Q ) from KGC. 

Bob computes his public key y p = H(ID P ), where ID p is his identity. Then, Bob obtains his 
secret key x p ^/C£/ Cf ^p(params-cdhp, y p ) from KGC. 

Delegation capability generation: Alice computes o Q <— 5 c ^ p (params-cdhp, (k Q , r Q , c G ), 
x , to). 

Delegation capability verification: Bob accepts a if and only if 

ya/id^V crf / ip (params-cdhp, y Q , a , (c ,u)). 
Proxy key generation: Bob computes proxy key p p <— PKeyGen c ^ p (params-cdhp, cr , c , 
x p ). 

Proxy signature generation: Bob picks a random number k p € computes 
r p = e(P,P) k p, c p = h(m,r p ) and a p <- 5 crf/tp (params-cdhp, (k p ,c p ), p p , m). 
Proxy signature verification: The verifier accepts the proxy signature if and only if 
V r a/id<-V cd / ip (params-cdhp, (y ,y P ), cr p , (cp,m,u)). 

Security: The security proof is not rigorous. Only heuristic security analysis is given to 
safeguard the scheme. 

5.4.2 Chen, Zhang and Kim |15| 

Proposed a multi-proxy signature scheme, where Alice delegates her signing capability to I 
proxy signers. 

Assumption: CDHP is hard. 
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Alice computes her public key y Q = H(ID Q ), where ID is her identity. Then, Alice obtains 
her secret key x Q ^/Ct/ c ^ p (params-cdhp, y ) from KGC. 

Each proxy signer computes his public key y Pi = H(ID Pi ), where ID Pi is his identity. Then, 
Each proxy signer obtains his secret key x Pi <— /Ct/cd/^params-cdhp, y Pi ) from KGC. 
Delegation capability generation: Alice picks a random number k € Z* 1 , computes r Q = 
e(P,P) k °, c = h(u,r ) and a <- ^^(params-cdhp, (k ,r ,c ), x , to). 
Delegation capability verification: Each proxy signer accepts a Q if and only if 

(/c p ,Cp),^V cd / ip (params-cdhp, y Q , a a , (c ,uj)). 
Proxy key generation: Each proxy signer computes proxy key as 

p Pi <- PKeyGen cd/ip (params-cdhp, a Q , c Q , x Pi ). 
Proxy signature generation: Each proxy signer performs the following operations to sign a 
message m: 

- Pick randomly k Pi S Z*_ x , computes r Pi = e(P, P) kp i and broadcasts r Pi to the remain- 
ing / — 1 proxy signers. 

- Compute r p = Yl\ =l r Pi and c p = h(m,r p ), a Pi = c p p Pi + k Pi P. Then, send a Pi to a 
designated clerk (one of the proxy signers). 

I 

- The clerk verifies the individual proxy signature and computes a p = <r Pi . The proxy 

i=l 

signature of message m is the tuple (m, u, r a , Cp, a p ). 

Proxy signature verification: The verifier accepts the proxy signature of message m if and 

I 

only if c p = h(m, e(a p , J P)(e(^( 2/o + y Pl , Pub KGC ) h{uJ ' ro) ■ r l )^ . 

i=l 

Security: The security proof is not rigorous. 
5.4.3 Xu, Zhang and Feng [85J 

Formalized a notion of security for ID-based proxy signature schemes and presented a proxy 
signature scheme. 

Assumption: CDHP is hard. 

Alice computes her public key y Q = H(ID Q ), where ID is her identity. Then, Alice obtains 
her secret key x Q ^^(/^^(params-cdhp, y Q ) from KGC. 

Bob computes his public key y p = H(ID p ), where ID p is his identity. Then, Bob obtains his 
secret key x p ^^(/^^(params-cdhp, y p ). from KGC. 

Delegation capability generation: Alice randomly picks k Q G Z*, computes r Q = k Q P, 
C = H (ID , u, r a ) and a a = x Q + k C , where H a : {0, 1}* x {0, 1}* X G\ — > G\. 
Delegation capability verification: Bob accepts a a if and only if 

e(a Q ,P) = e(Pub K GC,yo)e(ro,C ). 
Proxy key generation: Bob computes proxy key p p = hi(ID Q , ID p ,u!,r )x p + a Q , where 
hi : {0, 1}* x {0, 1}* x {0, 1}* x G x -»■ Z*. 

Proxy signature generation: To sign a message m, Bob does the following: 

- Picks k p £ Z*_ 1? computes r p = k p P and then puts C p = H (ID p ,m,r p ). 

- Computes a p = p p + k p C p . 

The proxy signature of message m is the tuple ((r ,r p ), a p , (u,m)). 
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Proxy signature verification: The verifier accepts the proxy signature of message m iff 
e(a p ,P) = e(Pub KG c,y P ) h ^ ID °' ID ^ r °»e((Pub KGC ,yo)e(^ 

Security: Security of the scheme is based on the CDHP in the random oracle model. The 
scheme takes large computation cost. 

5.4.4 Zhang, Safavi-Naini and Susilo |91j 

Proposed a proxy signature scheme based on a short signature scheme. 
Assumption: CDHP is hard. 

Alice computes her public key y Q = H(ID Q ), where ID is her identity. Then, Alice obtains 
her secret key x Q ^/Ct/ c ^p(params-cdhp, y Q ) from KGC. 

Bob computes his public key y p = H(ID p ), where ID P is his identity. Then, Bob obtains his 

secret key x p <— ^^^^(params-cdhp, y p ) from KGC. 

Delegation capability generation: Alice computes a Q = (s Q + h{uj) y p . 

Delegation capability verification: Bob accepts a a if and only if 

e(h(u)P + y ,a ) =e(P,y p ). 
Proxy key generation: Bob computes p p = x p a a . 

Proxy signature generation: To sign a message m, Bob does the following. 

- Chooses a random number r € and computes U = r ■ (h(uj)P + y Q ). 

- Computes t = H2(m, U) and a p = (t + r) _1 /9 p , where H2 : {0, 1}* x G\ — > Z*. 
The proxy signature of message m is (U, cr p ,uj). 

Proxy signature verification : The verifier verifies whether 
e(U + H 2 (m,U)(h(uj)P + y ) 1 a p ) = e(y p ,y p ). 

Security: Security of the scheme is based on CDHP in the random oracle model. 

5.4.5 Das, Saxena and Phatak |20j 

Proposed a proxy signature scheme based on Hess signature scheme that provides effective 
proxy revocation mechanism and avoids key escrow problem. 

Assumption: CDHP is hard. 

Alice computes her public key y Q = H(ID Q ), where ID Q is her identity. Then, Alice generates 
her secret key x Q ^/CC/cd^params-cdhp, y a ). 

Bob computes his public key y p = H(ID p ), where ID p is his identity. Then, Bob generates 
his secret key x p ^^^/^^(params-cdhp, y p ). 

Delegation capability generation: Alice computes a = (s + b H'(uj,y ,y p ), and ip = b Q P. 
Here, b Q is secret to the original signer only and H' : {0, 1}* X G\ X G% — > G\. 
Delegation capability verification: Bob accepts a a if and only if 

e(s ,P) = e(ip ,H'(oj,y ,y p )) ■ e(y ,Reg ), where Reg Q = sb Q P, registration 
token published by the KGC. 

Proxy key generation: Bob computes p p = s Q + s p + b p H'(u>, y Q , y p ). Here, b p is secret to the 
proxy signer only. 

Proxy signature generation: To sign a message m, Bob does the following. 

- Selects a random r G Z* and compute R = rP. 

- Computes a = h(m, R, y p ) and ijj p = b p P, where h : {0, 1}* x G\ x G\ — > {0, 1}*. 

- Computes a p = [r + a) _1 /9 p . 

The proxy signature of message m is (u, m, R, a p , ip , tp p , y Q , y p ). 
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Proxy signature verification : The proxy signature is valid if and only if 

e(R + h(m,R,y p )P,(Tp) = e(ip + ip p , H'(u, y Q , y p )) ■ e(y ,Reg ) ■ e(y p ,Reg p ). 

Security: The scheme is proven secure and does not require secure channel in the key issuance. 

6 Concluding Remarks 

We reviewed a few seminal work on proxy signatures from the different security assumptions. 
We now compare the reviewed schemes in a tabular manner, highlighting the important fea- 
tures at a glance. In the following, TablelT] depicts the features of DLP-based schemes, Table-E] 
depicts the features of RSA-based schemes, and Tab le-[3] depicts the features of Pairing-based 
schemes. 



Features 
Schemes | 




Secure 


Secure 
Channel 


Proxy Re- 
vocation 


Remarks 


Mambo et al 53J 


No 


Yes 


Partial 


Unlimited delegation 
and misuse of delegation 


Kim ct al[40j 


Yes 


No 


No 


Secure 


Zhang[87J 


No 


Yes 


No 


Insecure 


Lee et al|48j 


No 


No 


No 


Insecure, suffers from 
Transferring, Forgery 
attacks 


Boldyreva 


et 


Yes 


No 


No 


Based on [40 and for- 
malizes the security no- 
tion, but unlimited del- 
egation 


Li et ai|49j 


Yes 


No 


No 


No formal security anal- 
ysis 


Herranz et al 33J 


Yes 


No 


No 


Distributed proxy sig- 
nature, ideas based on 
Boldyreva et al[7] 


Malkin et al|52] 


Yes 


No 


No 


Secure, based on [40] . 
hierarchical delegation 


Table 1: Computation time: DLP-based proxy signatures 


Features 
Schemes J. 




Secure 


Secure 
Channel 


Proxy Re- 
vocation 


Remarks 


Okamoto 
al[55] 


et 


Yes 


Yes 


No 


Docs not provide strong 
unforgeability and pre- 
vention of misuse 


Lee at al 48 


No 


Yes 


No 


Insecure 


Shao68J 


No 


Yes 


No 


No formal security proof 


Das et al[19 


Yes 


No 


Yes 


N p < N 



Table 2: Computation Time : RSA-based proxy signatures 

It is observed that many times, a paper typically breaks a previous scheme and proposes 
a new one, which someone breaks later and, in turn, proposes a new one, and so on. Most of 
such work, though quite important and useful, essentially provides an incremental advance 
to the same basic theme. 
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Features — > 
Schemes j 


Key 
Escrow 


Secure 
Channel 


Proxy Re- 
vocation 


Remarks 


Zhang et al [90] 


Yes 


Yes 


No 


No tormal security 
proof, suffer from key 
escrow, need secure 
channel 


Onen et al[ioj 


Yes 


Yes 


INO 


No formal security 
proof, suffer from key 
escrow, need secure 
channel 


Xu et al|85j 


Yes 


Yes 


No 


Takes high computation 
cost, suffer from key es- 
crow, need secure chan- 
nel 


Zhang et al[91] 


Yes 


Yes 


No 


suffer from key escrow, 
need secure channel 


Das et al[20] 


No 


No 


Yes 


Secure, no key escrow, 
no secure channel 



Table 3: Computation Time : Pairing-based proxy signatures 



The authors tried to explore whether there are any real implementation of various proposed 
proxy signatures. They contacted over email individual author(s) of some of the papers, 
to learn whether their proposed scheme is used in real life scenario? Unfortunately, the 
responses from several authors indicated that they were not aware of such applications which 
use their scheme. Some even suggested that, since the authors work with real life banks 
problems, whether it will possible to try their scheme in such applications. 
In conclusion, we believe that the actual deployment of proxy signatures is yet to start in 
a big way. However, as and when this happens, the research work being carried out will 
certainly provide practically usable implementations. 
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